Clients connect to a network [...] resources on other [...] is routed from one network to the [...]. The Internet Protocol (IP) makes this possible. IP can also be used to create private networks that are not directly connected to the Internet. These networks are called intranets. These intranets can [...] area to remote offices [...] in a way the same intranet [...] the Internet as a tunneling medium. Instead of connecting an intranet directly to the Internet, the [...] remote office is encapsulated and [...] remote office, the [...] usually called a [...] placed in the local network. [...] Virtual Private Network (VPN). For the end user it looks like a single private network, but the public Internet is used to securely transport data traffic between remote places.

In the Internet Protocol (IP) routing decisions are made on IP addresses. An address in IP is a 32-bit number. On the Internet, every host requires at least one unique number to be able to communicate. This unique number cannot be used by any other host on the Internet. A central official body allocates these IP numbers, and Internet routers all over the world must know how to route these IP numbers to the correct hosts. To simplify the routing and due to some original design [...], the 4294967296 possible numbers are running out. For this reason there are a number of number ranges that are reserved which anybody can use privately in e.g. a private intranet. However, IP packets cannot be routed over the Internet with a number in these ranges and consequently must remain within the private intranet. This creates a problem when users of such an intranet with host numbers in these number ranges want to access the Internet.

There are two basic, very close, solutions to this problem: one is the use of a firewall and the other is using network address translation (NAT). Using a firewall, all access to the Internet is terminated at a firewall computer that is connected both to the Internet and to the intranet. This firewall then looks at the access from the intranet and acts as a proxy to the Internet with its own public IP number that is valid on the Internet. However, a proxy requires a program that knows about the protocol. The other solution, using NAT, has a computer acting as a gateway between the Internet and the intranet. Each packet directed to the Internet is processed by a program that replaces/translates the address and port of the packet, and keeps track of on whose behalf [...] address is translated back to the original address. NAT is a very transparent solution but unfortunately has problems with some protocols, which then require special measures.

A user does not have to use IP numbers to address a host. When a user uses a name as an address then a special application server is used to translate the name into an IP number. On the Internet the Domain Name System (DNS) is used for naming. This is a hierarchical scheme where a DNS server can provide the translation for a domain or it can look up the name via another name server. If a DNS server is responsible for a domain, then it is authoritative for that domain. Each DNS server is registered in a parent DNS server; this is done recursively until the root DNS servers are reached. Private intranets also require special handling of the DNS. A host on the inside of the intranet should not be visible on the outside, i.e. on the Internet, because it has a private number. However, when NAT is used, hosts on the outside of the intranet are required to be present in the local intranet DNS. This is called a split universe DNS.

The real problems start when someone on the Internet wants private access to a host on an intranet with a private numbering scheme, or when two intranets with private numbering schemes want to connect privately. For example, assume that two companies, each with their own private intranet, decide to co-operate on a project and that they therefore want to share a number of resources on their respective intranets. This will cause a number of problems. The intranets cannot directly be routed to each other because the IP numbers used potentially overlap. Most probably the respective DNS of both companies are set-up as split universe DNSs and thus have no knowledge of each other's hosts. The normal [...] Internet DNS does not help since the domain of the one company does not expose the internal hosts with private IP numbers. Thus, since the internal hosts cannot see each other, it is impossible to route anything between them.

There have been a number of different solutions put forward. Unfortunately the known solutions either do not work for all protocols or they require complex administration, or suffer from both disadvantages. For example, proxying is a solution to the problem where, for each service that the companies want to share, they have a publicly addressable host that contains a proxy for the service. This proxy does the mapping from the outside to the inside. A disadvantage of proxying is that it requires a significant amount of administration to set up the proxies and then to keep them aligned with the original resources. Another disadvantage is that not all protocols are easy to proxy or have existing proxies. Another solution to the problem is to renumber the intranets so that a non-overlapping address space is created. A single DNS can then be used. However, this is a very complex and heavy operation, making it virtually impossible if the companies only co-operate on a project basis. This solution also requires a significant amount of trust between the parties in question.

A suggestion has also been disclosed in US patent number 5,898,830 to Wesinger, Jr. et al. (Wesinger). The Wesinger patent discloses a method of setting up virtual hosts in firewalls and using name based routing. The solution allegedly provides full transparency for the users. However, this solution also only forwards hosts and not networks, and it also requires quite a bit of administration.

There is thus a need to improve the methods of providing access to one or more hosts of a private intranet from the outside of the intranet with full transparency to users and a simple administration.



SUMMARY OF THE INVENTION 

An object of the invention is to define a method and a system for transparently accessing hosts within a private intranet.

t 

Another object of the invention is to define a method and a system for transparently accessing a host within a private intranet by name.

A further object of the invention is to define a method and a system for accessing hosts within a private intranet with minimal administration.

A still further object of the invention is to define a method and a system for accessing hosts within a private intranet with security control and access control administration at the private intranet.

The aforementioned objects are achieved according to the invention by a method and a system for establishing a connection between a first computer of a first computer network and a resource, such as a second computer, of a second computer network via a third network through a gateway, such as a firewall, intervening between the second computer network and the third network. A requester issues a request for a connection from the first computer to the resource by specifying a name of the resource. A temporary IP number is returned to the first computer in answer to the request. The temporary IP number is mapped to a tunnel to the gateway. The gateway administrates the handling of data packets such that data packets addressed by the first computer to the temporary IP number, arriving through the tunnel, are routed to the resource, and data packets arriving from the resource destined to the first computer are routed through the tunnel to the first computer.

The aforementioned objects are also achieved according to the invention by a method of establishing a connection between a first computer of a first computer network and a resource of a second computer network via a third network. The connection is established along a route through an intermediate system having an interface to the first computer network, and through a gateway intervening between the second computer network and the third network. The resource belongs to the domain of the gateway. According to the invention the method comprises a number of steps. A first step configuring the intermediate system with a tunnel from the intermediate system to the gateway. A second step mapping the tunnel with a requester and a domain name of the gateway. A third step wherein the requester issues a request for a connection from the first computer to the resource by specifying a name of the resource. A fourth step receiving the request at the intermediate system via the interface. A fifth step using a rule for matching the name of the resource with the gateway. A sixth step mapping the name of the resource to the tunnel. A seventh step returning a temporary IP number to the first computer in answer to the request. An eighth step mapping the temporary IP number to the name of the resource. A ninth step wherein the gateway administrates the handling of data packets such that data packets addressed by the first computer to the temporary IP number, arriving through the tunnel, are routed to the resource. And a tenth step wherein the gateway administrates the handling of data packets such that data packets arriving from the resource destined to the first computer are routed through the tunnel to the first computer via the intermediate system. It is to be understood that the steps according to the invention do not indicate any sequential execution, but are merely a manner to distinguish them.

The method can advantageously further comprise the step of transmitting a message with the mapping of the temporary IP number to the gateway by means of the tunnel.

Preferably the step of the gateway administrating the handling of data packets such that data packets addressed by the first computer to the temporary IP number, arriving through the tunnel, are routed to the resource, comprises the substep of directing the intermediate system to translate source addresses of data packets addressed to the temporary IP number to be sent through the tunnel. The step of the gateway administrating the handling of data packets such that data packets addressed by the first computer to the temporary IP number, arriving through the tunnel, are routed to the resource, can comprise the substep of directing the intermediate system to translate destination addresses of data packets addressed to the temporary IP number to be sent through the tunnel, by means of at least a partial DNS function in the intermediate system.

Advantageously the step of the gateway administrating the handling of data packets such that data packets addressed by the first computer to the temporary IP number, arriving through the tunnel, are routed to the resource, can comprise the substep of the gateway translating source addresses of data packets arriving through the tunnel addressed to the temporary IP number and routing these data packets to the resource. The step of the gateway administrating the handling of data packets such that data packets addressed by the first computer to the temporary IP number, arriving through the tunnel, are routed to the resource, can comprise the substep of the gateway translating destination addresses of data packets arriving through the tunnel addressed to the temporary IP number and routing these data packets to the resource. The step of the gateway administrating the handling of data packets such that data packets arriving from the resource destined to the first computer are routed through the tunnel to the first computer via the intermediate system, can comprise the substep of the gateway translating source and destination addresses of data packets arriving from the resource destined to the first computer, and routing these data packets through the tunnel to the first computer via the intermediate system.

In some versions the step of the gateway administrating the handling of data packets such that data packets arriving from the resource destined to the first computer are routed through the tunnel to the first computer via the intermediate system, can comprise the substep of directing the intermediate system to translate source and destination addresses of data packets arriving from the resource via the tunnel destined to the first computer.

In some versions the third network is a telecommunications network; in other versions it is the Internet, i.e. a computer network.

Advantageously the rule for matching the name of the resource with the gateway can be based on a mapping, and/or based on a list of hosts, and/or based on a regular or wildcard expression, and/or based on matching a domain name of the name of the resource with the domain name of the gateway.

Preferably the method further comprises the step of authenticating the requester at the first computer for access to the tunnel.

In some versions the name of the resource corresponds to a second computer within the second computer network, the second computer belonging to the domain of the gateway and comprising the resource. Then preferably the gateway administrates the handling of data packets such that data packets addressed by the first computer to the temporary IP number, arriving through the tunnel, are routed to the resource residing on the second computer. Otherwise, in other versions the gateway administrates the handling of data packets such that data packets addressed by the first computer to the temporary IP number, arriving through the tunnel, are routed to the resource, the resource residing on a proxy of the second computer. Advantageously the proxy to which the gateway routes data packets addressed by the first computer to the temporary IP number is in dependence on an identity of the requester.

One or more of the features of the above described different methods according to the invention can be combined in any desired manner, as long as the features are not contradictory.

The aforementioned objects are achieved in accordance with the invention also by a device arranged to establish a connection between a first computer of a first computer network and a resource of a second computer network via a third network, the connection being established along a route through the device having an interface to the first computer network, and through a gateway intervening between the second computer network and the third network. The resource belongs to the domain of the gateway. According to the invention the device comprises a number of means arranged to carry out the invention. A first means arranged to configure a tunnel from the device to the gateway. A second means arranged to map the tunnel with a requester and a domain name of the gateway. A third means arranged to receive a request, issued by the requester, via the interface for a connection from the first computer to the resource by specifying a name of the resource. A fourth means arranged to use a rule for matching the name of the resource with the gateway. A fifth means arranged to map the name of the resource to the tunnel. A sixth means arranged to return a temporary IP number to the first computer in answer to the request. A seventh means arranged to map the temporary IP number to the name of the resource. An eighth means arranged to cooperate with the gateway administrating the handling of data packets such that data packets addressed by the first computer to the temporary IP number, arriving through the tunnel at the gateway, are routed to the resource. A ninth means arranged to cooperate with the gateway administrating the handling of data packets such that data packets arriving from the resource destined to the first computer are at the gateway routed through the tunnel to the first computer via the device.

Different embodiments of the device according to the invention can be reached according to additional features mentioned above in connection with the description of the method according to the invention. The features of the above described different embodiments of a device according to the invention can be combined in any desired manner, as long as no conflict occurs.
By providing a device and a method for accessing one or more hosts within a private intranet, a plurality of advantages over prior art systems are obtained. According to the invention a route process/connection is made within a requester's network, which could also be a private intranet. Complete transparency is achieved; there is no restriction as to what protocol is used. The requester/user does not have to have any understanding of the set-up, such as the use of special ports or hosts and other network issues. The routing is name based; a requester/user requests access to a name of a host and will get an IP number in return to be used for access to the requested host. A requester is totally unaware that the request was intercepted and a route was set-up to respond to the IP number that was returned to the requester. All authentication and security issues such as access control can be handled by the private intranet to which access is desired. All the set-up at the requester's side that is required is some means of intercepting DNS requests before they are transferred to the Internet. This means can, for example, be located in a gateway to the Internet or at some other point logically before the gateway. This intercept means will have one or more tunnels configured to one or more private intranets and will determine if a DNS request is for one of the private intranets or not. If it determines that the DNS request is for one of the private intranets then a route process is set-up with an arbitrary, but for the requester valid, IP number and a mapping to the corresponding tunnel is made. All access control can be handled at the other end of the tunnel, but in some embodiments some authentication and security is handled by the intercept means. Preferably all address translation is also done at the private intranet side of the tunnel, but in some embodiments at least some of the address translations can be handled directly by the intercept means, preferably under complete control of the private intranet side of the tunnel. Further advantages and variations of the invention will become apparent from the following.

DESCRIPTION OF THE FIGURES

The invention will now be described in more detail for explanatory, and in no sense limiting, purposes, with reference to the following figures, in which

Fig. 1 shows a diagram of a communication situation to which the invention is suitable,

Fig. 2 shows a diagram of an implementation of the invention,

Fig. 3 shows a flow chart of an example of an intermediate system processing,

Fig. 4 shows a flow chart of an example of a firewall/gateway processing when receiving from a tunnel,

Fig. 5 shows a flow chart of an example of a firewall/gateway processing when transferring a data packet from a second computer to a first computer.



DESCRIPTION OF PREFERRED EMBODIMENTS 



In order to clarify the system according to the invention, some examples of its use will now be described in connection with Figures 1 to 5.



Received by Patent- och registreringsverket (PRV), 1999-12-29.



Figure 1 shows a diagram of a communication situation to which the invention is suitable. A user/requester which is situated at a first computer 101 connected to a first computer network 103, which network can comprise several computer networks, within a first domain 100, which can be open or private, desires to communicate with/gain access to a second computer 122, a destination host, connected to a second computer network 124, which network can also comprise several networks, which in turn is within a second domain 120 which is private. A private domain is a domain which uses a private numbering scheme, i.e. hosts within the domain are not visible from the outside and can thus have the same number as a host on the Internet. The first computer 101 and the second computer 122 are interconnected via, for example, an internet 110, a third computer network, a network which will most likely comprise many networks, by means of a gateway/firewall 105 between the first computer network 103 and the third computer network 110, and a firewall/gateway 126 between the second computer network 124 and the third computer network 110. Other types of interconnections between the gateway/firewall 105 of the first computer network and the firewall/gateway 126 of the second computer network 124 are possible according to the invention. However, any direct ways of ordinary connection between the first computer 101 and the second computer 122 are not possible. The second computer 122 is not visible to the first computer 101 or to an internet 110, and if it is not visible then it is not ordinarily possible to route data packages from the first computer 101 to the second computer 122. Several known, less suitable, solutions to this situation have been discussed previously.

Figure 2 shows a diagram of an implementation of the invention. The set-up is the same as in Figure 1 with a first computer 201, with a user/requester, connected to a first computer network 203, which can comprise several computer networks, which in turn is connected to a gateway/firewall 205, all 201, 203, 205 of a first domain 200 which can be open or private. The gateway/firewall 205 is connected between the first computer network 203 and a third computer network 210. The third computer network 210, for example the Internet, will most likely comprise many networks. There is also a second computer 222, a desired destination, which is connected to a second computer network 224, which can comprise several networks, which in turn is connected to a firewall/gateway 226, all of a second domain 220 which is a private domain. The firewall/gateway 226 is connected between the third computer network 210 and the second computer network 224.

According to the invention there is also an intermediate system 230, an intercept means, connected somewhere into the first computer network 203. The intermediate system can be placed anywhere in the first domain 200, as long as it can intercept any DNS request from the first computer 201 before the request reaches the third computer network 210. To give a few examples, the intermediate system 230 can be a process running on the gateway/firewall 205, an intelligent connection box logically connected between the first computer 201 and the gateway/firewall 205, or even a process running on the first computer 201. The intermediate system 230 is preferably implemented as close as possible to, if not within, the gateway/firewall 205 to enable as many users/computers in the first domain 200 to have access to it, and thus have the possibilities of the invention. The intermediate system 230 will configure at least one tunnel 231 from the intermediate system to the firewall/gateway 226 of the second domain 220. A tunnel is a logical network connection between two processes, encapsulating the traffic during transport. Traffic over such a connection is traditionally encrypted to prevent eavesdropping. The tunnel or tunnels are preferably authenticated at regular, or irregular, intervals.

The intermediate system 230 will intercept DNS requests at it from the user or users and associated connection points/connected computers for which the intermediate system is set-up, in this example the first computer 201. The intermediate system must at least intercept DNS requests from the first computer 201 before the requests leave the domain 200. A user wanting a permitted access from the first computer 201 to the second computer 222 requests this by naming the second computer 222. The DNS request will then be intercepted by the intermediate system 230, which will determine if the requested name has any association with any tunnel 231 that is previously set-up. The determination can be based on a mapping, a list of hosts, or a regular or wildcard expression. In a preferred method the intermediate system 230 will try to match a domain name suffix of the second domain 220 to a domain name suffix of the DNS request for a match to the tunnel 231 of the example. As can be seen, the intermediate system does not have to be set-up with any details as to exactly which host or hosts are requested for within the second domain 220. If there is a match the intermediate system will set-up a route to the second domain 220 via a tunnel 231 in view of the match, in this case the described tunnel 231. An IP number, a temporary random IP number, will be generated/made and associated to the route. The generated/given temporary random IP number must at least be valid within the first domain 200 so that communication addressed to that temporary random IP number will be correctly routed to the associated tunnel 231 of the intermediate system 230. The first computer 201 will get the temporary random IP number back as an answer to its DNS request and then use this temporary random IP number for all communication to the second computer 222, at least during this session. The communication will end up at the route interface, which in turn will send it down the tunnel for correct routing to the desired destination, the second computer 222. The temporary random IP number is mapped to the complete name of the DNS request and sent as a message to the gateway/firewall 226 at the other end of the tunnel. The gateway/firewall 226 at the other end of the tunnel 231 will deal with all the details of routing packages to and from the correct desired destination, in this case the second computer 222. Return communications will either have the correct destination, the first computer 201, when they emerge from the tunnel 231, or there has been some address translation in the intermediate system 230, governed by the gateway/firewall 226 of the second domain 220, in which case the intermediate system 230 will retranslate the communication so that it will be routed correctly within the first domain 200 to the first computer 201.
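To make the gateway side of this exchange concrete, the following is an added example (not code from the patent) that models the firewall/gateway 226 of Figure 2 in Python: it accepts the mapping message of temporary IP number to name sent through the tunnel, resolves the name in the second domain's own split-universe DNS, and translates addresses in both directions so that the first computer's (possibly overlapping) private IP number never appears inside the second domain. The private DNS table, the address ranges and the tunnel identifier are constructed for the example; authentication of the tunnel and access control for the name are assumed to have been done and are not modelled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal IP packet model: only the addresses matter for translation."""
    src: str
    dst: str
    payload: bytes = b""


class TunnelGateway:
    """Constructed model of firewall/gateway 226 at the private end of a tunnel 231.

    Holds the temporary-IP-to-resource mappings announced through the tunnel and
    rewrites source and destination addresses in both directions (Figs. 4 and 5).
    """

    def __init__(self, private_dns, nat_pool):
        self.private_dns = dict(private_dns)   # split-universe DNS: name -> internal IP number
        # Gateway-side source numbers used in place of the first computer's own number,
        # which may overlap with the second domain's private numbering scheme.
        self.nat_pool = [str(h) for h in ipaddress.ip_network(nat_pool).hosts()]
        self.resource_for = {}   # (tunnel, temp_ip) -> internal IP number of the resource
        self.outbound = {}       # (tunnel, first computer IP, temp_ip) -> gateway-side source
        self.inbound = {}        # (gateway-side source, resource IP) -> (tunnel, first IP, temp_ip)

    def receive_mapping(self, tunnel, temp_ip, name):
        """Mapping message from the intermediate system (tenth step / step 349).

        Returns True when the name resolves in this domain and the mapping is stored.
        """
        resource = self.private_dns.get(name)
        if resource is None:
            return False          # unknown name in this domain: mapping refused, nothing to route
        self.resource_for[(tunnel, temp_ip)] = resource
        return True

    def from_tunnel(self, tunnel, pkt):
        """Fig. 4 direction: packet arriving through the tunnel addressed to a temporary IP.

        Returns the translated packet for the second network, or None to drop it.
        """
        resource = self.resource_for.get((tunnel, pkt.dst))
        if resource is None:
            return None           # no mapping for this temporary IP on this tunnel: drop
        key = (tunnel, pkt.src, pkt.dst)
        gw_src = self.outbound.get(key)
        if gw_src is None:
            if not self.nat_pool:
                return None       # no gateway-side number left: drop rather than leak pkt.src
            gw_src = self.nat_pool.pop(0)
            self.outbound[key] = gw_src
            self.inbound[(gw_src, resource)] = key
        # Destination becomes the real resource, source becomes a gateway-side number.
        return Packet(gw_src, resource, pkt.payload)

    def from_resource(self, pkt):
        """Fig. 5 direction: packet from the resource destined to the first computer.

        Returns (tunnel, translated packet), or None when the packet is not part of
        a tunnelled flow and should follow normal routing.
        """
        key = self.inbound.get((pkt.dst, pkt.src))
        if key is None:
            return None
        tunnel, first_ip, temp_ip = key
        # Reverse translation: the first computer sees the reply come from the temporary IP number.
        return tunnel, Packet(temp_ip, first_ip, pkt.payload)
```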

For an even better understanding of the invention, it will be explained in relation to flow diagrams of a specific implementation of the invention. Flow diagrams describe something as a string of events, one after another. The different processes according to the invention are mostly independent event-driven processes. The major difference is that the processes of the invention might not appear in the order described below, but it is believed that the flow diagrams can however provide an easier understanding of the invention.



Figure 3 shows a flow chart of an example of the processes of an intermediate system according to one specific implementation of the invention. In a first step 340 one or more predetermined tunnels are configured and tables/mappings are generated/set-up. A table can, for example, be set-up in a matrix where each line comprises: a user (optionally), a source IP number, a destination domain (e.g. *.ericsson.se), access time or times to the destination domain (optionally), a tunnel to the destination domain. The amount of information comprised in a table and the manner it is stored and mutually associated will vary in dependence of an implementation in question. A table/mapping can preferably be dynamically updated, i.e. information/entries added or removed, for example, a destination domain. In a second step 341 after the first step 340, authentication of the configured tunnel(s) and of configured users/requesters is done, for example, from which source IP number(s), e.g. the first computer, when, and to which domains access is allowed. In a third step 342 after the second step 341 it is determined if there is any communication to intercept or not; if there is none then it simply returns to itself. If there is some communication to intercept, the procedure continues with a fourth step 343 after the third step 342. The fourth step 343 determines if the communication was a DNS request or not. If the communication was determined to be a DNS request, then the procedure continues with a fifth step 344 after the fourth step 343. The fifth step 344 determines if the DNS request is from a configured user, e.g. the first computer, or not. If the DNS request is determined to have originated from a configured user then the procedure continues with a sixth step 345 after the fifth step 344. The sixth step 345 tries to match domains, in the configured user's map/table, with the domain of the DNS request. Thereafter the procedure continues with a seventh step 346 after the sixth step 345. The seventh step 346 determines if there is a match or not. If there is a match, then the procedure continues with an eighth step 347 after the seventh step 346. The eighth step 347 retrieves the entries of the user's map/table which correspond to the match of the seventh step 346 and also generates a temporary IP number, a temporary random IP number, which is a valid IP number in view of the place of the intermediate system. The intermediate system dynamically allocates a temporary IP number. Thereafter the procedure continues with a ninth step 348 after the eighth step 347. The ninth step 348 maps the temporary random IP number to a tunnel according to the retrieved entries in the user's map/table. Thereafter the procedure continues with a tenth step 349 after the ninth step 348. The tenth step 349 will send a message through the tunnel with a mapping of the temporary random IP number with the complete DNS request, i.e. the complete name of the desired destination, e.g. the second computer. Thereafter the procedure continues with an eleventh step 350 after the tenth step 349. The eleventh step 350 returns the temporary random IP number to the requester, e.g. the first computer, in answer to the DNS request.

If in the fourth step 343 it was determined that it was not a DNS request, then the procedure continues with a twelfth step 351 after the fourth step 343. The twelfth step determines if the communication is a data packet or not. If it is determined to be a data packet then the procedure continues with a thirteenth step 352 after the twelfth step 351. The thirteenth step 352 determines if the destination IP number of the data packet matches any temporary random IP number which is mapped with the source IP number of the data packet. If there is a match then the procedure continues with a fourteenth step 353 after the thirteenth step 352. The fourteenth step 353 sends the data packet in a tunnel according to the match and corresponding mapping/table entry. If it was determined in the twelfth step 351 that it was not a data packet, then the procedure continues with a fifteenth step 354 after the twelfth step 351. The fifteenth step 354 will ensure that the communication gets attention by means [...]. If it was determined in the thirteenth step 352 that there was no match, then the procedure continues with a sixteenth step 355 after the thirteenth step 352. The sixteenth step 355 provides normal routing of the data packet. If it was determined in the fifth step 344 that the DNS request was not from a configured user, or if it was determined in the seventh step 346 that there is no match in the user's domain name table, then the procedure continues with a seventeenth step 356 after the fifth step 344 or after the seventh step 346. The seventeenth step 356 provides a normal DNS request processing.

What happens next? We have opened a route interface process at the intermediate system and are now sending data packets and messages on a tunnel. Figure 4 shows a flow chart of an example of a second domain firewall/gateway processing when receiving from a tunnel. In a first step 460 the procedure waits for some communication received from a tunnel, and returns to itself as long as there is none. However, when there is some communication received from a tunnel then the procedure continues with a second step 461 after the first step 460. The second step 461 determines if the communication is a message with a mapping of a temporary random IP number with a DNS request, or not, e.g. a message sent by the tenth step 349 of Figure 3. If it is determined that it is not a message with a mapping then the procedure continues with a third step 462 after the second step 461. The third step 462 determines if the communication is a data packet to be routed or not. If it is determined that it is a data packet to be routed then the procedure continues with a fourth step 463 after the third step 462. The fourth step 463 determines if there exists a mapping/table or not for the destination IP number, i.e. a temporary random IP number, of the data packet. If there exists a mapping/table for the destination IP number then the procedure continues with a fifth step 464 after the fourth step 463. The fifth step 464 determines if security control of the tunnel through which the communication came is OK and still valid. If it is determined that the security of the tunnel is satisfactory, then the procedure continues with a sixth step 465 after the fifth step 464. The sixth step 465 determines if, according to the table/map, the source IP number, e.g. the IP number of the first computer, of the data packet has allowed access to the destination IP number, i.e. the temporary random IP number, of the data packet. If it is determined that the data packet from the source IP number has access to the destination IP number then the procedure continues with a seventh step 466 after the sixth step 465. The seventh step 466 translates, re-maps, the source IP number, e.g. the IP number of the first computer, to a temporary locally valid IP number, a temporary local IP number. This is done so that the packet can be routed properly in the second domain. After the seventh step 466 the procedure continues with an eighth step 467 which looks up the real local IP number of the destination, e.g. the second computer, by doing a DNS request in the second domain on the name received with the mapping to the temporary random IP number. The procedure then continues with a ninth step 468 after the eighth step 467. The ninth step 468 translates/re-maps the destination IP number, i.e. the temporary random IP number, of the data packet to the real local IP number of the destination, e.g. the second computer. Thereafter the procedure continues with a tenth step 469 after the ninth step 468. The tenth step 469 routes the data packet in the second domain to the destination, e.g. the second computer, with the real local IP number as destination and the temporary local IP number as the source.
If it was determined in the second step 461 that the communication was a map/table message then the procedure continues with an eleventh step 470 after the second step 461. The eleventh step 470 receives a mapping of a temporary random IP number with a DNS name, e.g. the second computer, of the second domain, and adds this to its mapping. If it was determined in the third step 462 that it was not a data packet to be routed that was received through the tunnel then the procedure continues with a twelfth step 471 after the third step 462. The twelfth step 471 does other appropriate processing. If it was determined in the fifth step 464 that the security of the tunnel is not valid then the procedure could continue with a thirteenth step 472 after the fifth step 464. The thirteenth step 472 will then try to authenticate the tunnel, and then return and continue with the fifth step. If it was determined in the fourth step 463 that there does not exist a mapping/table or if it was determined in the sixth step 465 that the source IP number is not allowed access to the destination IP number, then the procedure continues with a fourteenth step 473 after either the fourth step 463 or the sixth step 465. The fourteenth step will reject the request, and not route the data packet, the "destination is unknown". Preferably security will also be alerted of an attempted breach of security.
As mentioned, packets must be able to be sent back to the original requester. Figure 5 shows a flow chart of an example of firewall/gateway processing when transferring a data packet from a second computer to a first computer. In a first step 580 it is checked if there is any communication from within the second computer network, and if not then it just returns to itself. If there is communication from within the second computer network, then the procedure continues with a second step 581 after the first step 580. The second step 581 determines if it is a data packet that should be routed. If it is a data packet to be routed then the procedure continues with a third step 582 after the second step 581. The third step 582 determines if the destination IP number of the data packet is equal to any valid temporary local IP number. If the destination IP number is matched then the procedure continues with a fourth step 583 after the third step 582. The fourth step retrieves the mapping/table that corresponds to the matched temporary local IP number to thereby find out where, which tunnel, to route the data package. After the fourth step 583 the procedure continues with a fifth step 584 which translates (re-maps) the source IP number, the IP number of the second computer, of the data packet to the temporary random IP number according to the table (map). After the fifth step 584 the procedure continues with a sixth step 585 which translates (re-maps) the destination IP number, the temporary local IP number, of the data packet to the IP number of the first computer according to the table (map). Thereafter, in a seventh step 586 after the sixth step 585, the data packet is transferred in an appropriate tunnel according to the table (map). If it was determined in the second step 581 that it is not a data packet that is to be routed then the procedure continues with an eighth step 587 after the second step 581 and does some other processing. If it was determined in the third step 582 that the destination IP number of the data packet is not equal to any valid temporary local IP number then the procedure continues with a ninth step 588 after the third step 582 and does a normal routing of the data packet.
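The three flow charts above (Figures 3, 4 and 5) describe one exchange: DNS interception and temporary IP allocation at the intermediate system, security control, access check and address translation at the second-domain gateway, and the return path. The following Python model of that exchange is an added example, not code from the patent; the class and method names, the addresses (192.0.2.10 for the first computer, 10.0.0.7 for the second computer, 198.51.100.1 as the temporary random IP number, 10.0.255.1 as the temporary local IP number) and the table layouts are all constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str  # source IP number
    dst: str  # destination IP number

class IntermediateSystem:
    """Figure 3: DNS interception and tunnel mapping at the intermediate system (constructed model)."""
    def __init__(self, user_tables, temp_pool):
        self.user_tables = user_tables     # configured user IP -> {domain: tunnel} (step 340)
        self.temp_pool = list(temp_pool)   # temporary random IP numbers valid at this place
        self.mappings = {}                 # (source IP, temporary IP) -> tunnel (step 348)
        self.tunnels = {}                  # tunnel name -> Gateway object at the far end

    def handle_dns(self, src_ip, qname):
        table = self.user_tables.get(src_ip)             # step 344: configured user?
        if table:
            for domain, tunnel in table.items():         # steps 345/346: match the domain
                if qname == domain or qname.endswith("." + domain):
                    temp_ip = self.temp_pool.pop(0)      # step 347: allocate temporary IP
                    self.mappings[(src_ip, temp_ip)] = tunnel                 # step 348
                    self.tunnels[tunnel].receive_mapping(temp_ip, qname)      # step 349
                    return ("temp_ip", temp_ip)                               # step 350
        return ("normal_dns", qname)                     # step 356: ordinary resolution

    def handle_packet(self, pkt):
        tunnel = self.mappings.get((pkt.src, pkt.dst))   # step 352: mapped for this source?
        if tunnel is None:
            return ("normal_routing", pkt)               # step 355
        return self.tunnels[tunnel].receive_from_tunnel(pkt, tunnel)          # step 353

class Gateway:
    """Figures 4 and 5: the second-domain firewall/gateway (constructed model)."""
    def __init__(self, local_dns, acl, local_pool, valid_tunnels):
        self.local_dns = local_dns                # name -> real local IP (second-domain DNS)
        self.acl = acl                            # first-domain source IP -> names it may reach
        self.local_pool = list(local_pool)        # temporary local IP numbers
        self.valid_tunnels = set(valid_tunnels)   # tunnels that passed security control
        self.name_by_temp = {}                    # temporary random IP -> name (step 470)
        self.local_by_flow = {}                   # (source IP, temp random IP, tunnel) -> local IP
        self.sessions = {}                        # temporary local IP -> that flow (Figure 5)
        self.alerts = []                          # security alerts raised in step 473

    def receive_mapping(self, temp_ip, name):
        self.name_by_temp[temp_ip] = name                # step 470

    def receive_from_tunnel(self, pkt, tunnel):
        name = self.name_by_temp.get(pkt.dst)            # step 463: mapping exists?
        if name is None:
            return self._reject(pkt)                     # step 473
        if tunnel not in self.valid_tunnels:
            return ("authenticate_tunnel", tunnel)       # steps 464/472
        if name not in self.acl.get(pkt.src, set()):
            return self._reject(pkt)                     # steps 465/473
        flow = (pkt.src, pkt.dst, tunnel)
        local_ip = self.local_by_flow.get(flow)
        if local_ip is None:                             # step 466: temporary local IP
            local_ip = self.local_pool.pop(0)
            self.local_by_flow[flow] = local_ip
            self.sessions[local_ip] = flow
        real_ip = self.local_dns[name]                   # step 467: local DNS lookup
        return ("route_local", Packet(local_ip, real_ip))   # steps 468/469

    def _reject(self, pkt):
        self.alerts.append(f"attempted breach: {pkt.src} -> {pkt.dst}")
        return ("reject", "destination is unknown")

    def handle_local(self, pkt):
        flow = self.sessions.get(pkt.dst)                # step 582: valid temporary local IP?
        if flow is None:
            return ("normal_routing", pkt)               # step 588
        first_ip, temp_ip, tunnel = flow                 # step 583: find the tunnel
        return ("tunnel", tunnel, Packet(temp_ip, first_ip))   # steps 584-586

def demo():
    # Constructed addresses: 192.0.2.10 is the first computer, 10.0.0.7 the second computer.
    gw = Gateway({"www.corp.example": "10.0.0.7"}, {"192.0.2.10": {"www.corp.example"}}, ["10.0.255.1"], {"tun-corp"})
    ims = IntermediateSystem({"192.0.2.10": {"corp.example": "tun-corp"}}, ["198.51.100.1"])
    ims.tunnels["tun-corp"] = gw
    dns = ims.handle_dns("192.0.2.10", "www.corp.example")     # Figure 3
    fwd = ims.handle_packet(Packet("192.0.2.10", dns[1]))     # Figures 3 and 4
    back = gw.handle_local(Packet(fwd[1].dst, fwd[1].src))    # Figure 5
    return dns, fwd, back
```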



The present invention can be put into apparatus-form either as pure hardware, as pure software or as a combination of both hardware and software. If the method according to the invention is realized in the form of software, it can be completely independent or it can be one part of a larger program. The software can suitably be located in a general-purpose computer or in a dedicated computer.

As a summary, the invention can basically be described as a method of accessing one or more hosts within a private network by means of a route interface process.

The invention is not limited to the embodiments described above but may be varied within the scope of the appended patent claims.
Fig. 1: a diagram of a communication situation to which the invention is suitable,
open or private first domain,
user/requestor, a first computer,
a first computer network, can comprise several computer networks,
gateway/firewall between the first computer network and a third computer network,
internet, the third network, will most likely comprise many networks,
private second domain,
a second computer, a destination,
a second computer network, can comprise several networks,
a firewall/gateway between the second computer network and the third computer network.

Fig. 2: a diagram of an implementation of the invention,
open or private first domain,
user/requestor, a first computer, a source,
a first computer network, can comprise several computer networks,
gateway/firewall between the first computer network and a third computer network,
internet, the third computer network, will most likely comprise many networks,
private second domain,
a second computer, a destination,
a second computer network, can comprise several networks, to which the second computer is connected,
a firewall/gateway between the third computer network and the second computer network,
an intermediate system between the third computer network and the first computer, the source,
a tunnel from the intermediate system to the firewall.

Fig. 3: flow chart of an example of intermediate system processing,
340: configure tunnel and generate tables/mappings,
341 from 340: authentication of tunnel(s) and of users/requesters, for example from which source IP number(s), e.g. the first computer, when, and to which domains,
342 from 341 or no from itself: any communication?
343 yes from 342: is it a DNS request?
344 yes from 343: is it from a configured user, e.g. the first computer?
345 yes from 344: try to match domains, in the configured user's table, with the domain of the DNS request,
346 from 345: is there a match?
347 yes from 346: get map/table and also generate a temporary IP number, a temporary random IP number, which is a valid IP number in view of the place of the intermediate system,
348 from 347: map the temporary IP number to a tunnel according to the retrieved map/table,
349 from 348: send message through tunnel with mapping of temporary random IP number with the DNS request,
350 from 349: return temporary random IP number to requester, e.g. the first computer, in answer to the DNS request,
351 no from 343: is it a data packet?
352 yes from 351: does the destination IP number of the data packet match any temporary random IP number mapped with the source IP number of the data packet?
353 yes from 352: send data packet in tunnel according to mapping/table entry,
354 no from 351: other processing,
355 no from 352: normal routing of data packet,
356 no from 344 or no from 346: normal DNS request processing.

Fig. 4: flow chart of an example of firewall processing when receiving from a tunnel,
460 no from itself: communication received from tunnel?
461 yes from 460: is the communication a map/table message?
462 no from 461: is the communication a data packet to be routed?
463 yes from 462: does there exist a mapping/table for the destination IP number, i.e. a temporary random IP number, of the data packet?
464 yes from 463 or from 472: security control of tunnel, through which the communication came, is it OK, still valid?
465 yes from 464: does, according to the table/map, the source IP number, e.g. the IP number of the first computer, of the data packet have allowed access to the destination IP number, i.e. the temporary random IP number, of the data packet?
466 yes from 465: translate/remap source IP number, e.g. the IP number of the first computer, to a temporary locally valid IP number, a temporary local IP number,
467 from 466: look up the real local IP number of the destination, e.g. the second computer, by a DNS request in the second domain,
468 from 467: translate/remap destination IP number, i.e. the temporary random IP number, of the data packet to the real local IP number of the destination, e.g. the second computer,
469 from 468: route the data packet in the second domain to the destination, e.g. the second computer, with the real local IP number as destination and the temporary local IP number as source,
470 yes from 461: receive the mapping of a temporary random IP number with a DNS name, e.g. the second computer, of the second domain,
471 no from 462: do other processing,
472 no from 464: try to authenticate the tunnel,
473 no from 463 or no from 465: reject request, the destination is unknown; alarm security of an attempted break in.

Fig. 5: flow chart of an example of firewall processing when transferring a data packet from a second computer to a first computer,
580 no from itself: communication from within the second computer network?
581 yes from 580: is it a data packet that should be routed?
582 yes from 581: does the destination IP number of the data packet equal any valid temporary local IP number?
583 yes from 582: get mapping/table to find out where, which tunnel, to route the data package,
584 from 583: translate (remap) the source IP number, the IP number of the second computer, of the data packet to the temporary random IP number according to the table (map),
585 from 584: translate (remap) the destination IP number, the temporary local IP number, of the data packet to the IP number of the first computer according to the table (map),
586 from 585: transfer data packet in appropriate tunnel according to the table (map),
587 no from 581: other processing,
588 no from 582: normal routing.
1. A method of establishing a connection between a first computer of a first computer network and a resource of a second computer network via a third network, along a route through an intermediate system having an interface to the first computer network, and through a gateway intervening between the second computer network and the third network, the resource belonging to the domain of the gateway, characterised in that the method comprises the following steps:
configuring a tunnel from the intermediate system to the gateway;
mapping the tunnel with a requester and a domain name of the gateway;
the requester issuing a request for a connection from the first computer to the resource by specifying a name of the resource;
receiving the request at the intermediate system via the interface;
using a rule for matching the name of the resource with the gateway;
mapping the name of the resource to the tunnel;
returning a temporary IP number to the first computer in answer to the request;
mapping the temporary IP number to the name of the resource;
the gateway administrating the handling of data packets such that data packets addressed by the first computer to the temporary IP number, arriving through the tunnel, are routed to the resource;
the gateway administrating the handling of data packets such that data packets arriving from the resource destined to the first computer are routed through the tunnel to the first computer via the intermediate system.

2. The method according to claim 1, characterised in that the method further comprises the step of:
transmitting a message with the mapping of the temporary IP number to the gateway by means of the tunnel.

3. The method according to claim 1 or 2, characterised in that the step of the gateway administrating the handling of data packets such that data packets addressed by the first computer to the temporary IP number, arriving through the tunnel, are routed to the resource, comprises the substep of:
directing the intermediate system to translate source addresses of data packets addressed to the temporary IP number to be sent through the tunnel.

4. The method according to any one of claims 1 to 3, characterised in that the step of the gateway administrating the handling of data packets such that data packets addressed by the first computer to the temporary IP number, arriving through the tunnel, are routed to the resource, comprises the substep of:
directing the intermediate system to translate destination addresses of data packets addressed to the temporary IP number to be sent through the tunnel, by means of at least a partial DNS function in the intermediate system.

5. The method according to claim 1 or 2, characterised in that the step of the gateway administrating the handling of data packets such that data packets addressed by the first computer to the temporary IP number, arriving through the tunnel, are routed to the resource, comprises the substep of:
the gateway translating source addresses of data packets arriving through the tunnel addressed to the temporary IP number and routing these data packets to the resource.

6. The method according to claim 1, 2, 3 or 5, characterised in that the step of the gateway administrating the handling of data packets such that data packets addressed by the first computer to the temporary IP number, arriving through the tunnel, are routed to the resource, comprises the substep of:
the gateway translating destination addresses of data packets arriving through the tunnel addressed to the temporary IP number and routing these data packets to the resource.

7. The method according to any one of claims 1 to 6, characterised in that the step of the gateway administrating the handling of data packets such that data packets arriving from the resource destined to the first computer are routed through the tunnel to the first computer via the intermediate system, comprises the substep of:
the gateway translating source and destination addresses of data packets arriving from the resource destined to the first computer, and routing these data packets through the tunnel to the first computer via the intermediate system.

8. The method according to any one of claims 1 to 6, characterised in that the step of the gateway administrating the handling of data packets such that data packets arriving from the resource destined to the first computer are routed through the tunnel to the first computer via the intermediate system, comprises the substep of:
translating source and destination addresses of data packets arriving from the resource via the tunnel destined to the first computer.

9. The method according to any one of claims 1 to 8, characterised in that the third network is a telecommunications network.

10. The method according to any one of claims 1 to 8, characterised in that the third network is the Internet.

11. The method according to any one of claims 1 to 10, characterised in that the rule for matching the name of the resource with the gateway is based on a mapping.

12. The method according to any one of claims 1 to 10, characterised in that the rule for matching the name of the resource with the gateway is based on a list of hosts.

13. The method according to any one of claims 1 to 10, characterised in that the rule for matching the name of the resource with the gateway is based on a regular or wildcard expression.

14. The method according to any one of claims 1 to 10, characterised in that the rule for matching the name of the resource with the gateway is based on matching a domain name of the name of the resource with the domain name of the gateway.

15. The method according to any one of claims 1 to 14, characterised in that the method further comprises the step of:
authenticating the requester at the first computer for access to the tunnel.

16. The method according to any one of claims 1 to 15, characterised in that the name of the resource corresponds to a second computer within the second computer network, the second computer belonging to the domain of the gateway and comprising the resource.

17. The method according to claim 16, characterised in that the gateway administrating the handling of data packets such that data packets addressed by the first computer to the temporary IP number, arriving through the tunnel, are routed to the resource residing on the second computer.

18. The method according to claim 16, characterised in that the gateway administrating the handling of data packets such that data packets addressed by the first computer to the temporary IP number, arriving through the tunnel, are routed to the resource residing on a proxy of the second computer.

19. [...] independence on an identity of [...]

20. A device arranged to establish a connection between a first computer of a first computer network and a resource of a second computer network via a third network, along a route through the device, having an interface to the first computer network, and through a gateway intervening between the second computer network and the third network, the resource belonging to the domain of the gateway, characterised in that the device comprises:
means arranged to configure a tunnel from the device to the gateway,
means arranged to map the tunnel with a requester and a domain name of the gateway,
means arranged to receive a request, issued by the requester, from the first computer to the resource by specifying a name of the resource,
means arranged to use a rule for matching the name of the resource with the gateway,
means arranged to map the name of the resource to the tunnel,
means arranged to return a temporary IP number to the first computer in answer to the request,
means arranged to map the temporary IP number to the name of the resource,
the gateway administrating the handling of data packets such that data packets addressed by the first computer to the temporary IP number, arriving through the tunnel, are routed to the resource, and such that data packets arriving from the resource destined to the first computer are routed through the tunnel to the first computer via the device.
Method and system for communication

ABSTRACT:

A method and a system for establishing a connection between a first computer of a first computer network and a resource of a second computer network via a third network, through a gateway intervening between the second computer network and the third network. A requester issues a request for a connection from the first computer to the resource by specifying a name of the resource. A temporary IP number is returned in answer to the request. The temporary IP number is mapped to a tunnel to the gateway. The gateway administrates the handling of data packets such that data packets addressed by the first computer to the temporary IP number, arriving through the tunnel, are routed to the resource and data packets arriving from the resource destined to the first computer are routed through the tunnel to the first computer.

(Fig. 2)